Saturday, January 28, 2012

Gmail App Security Issues on iPhone/iPad/iPod

Here is a quick note to help you have a look at the behavior of the GMAIL application on iOS (iPhone/iPod/iPad). We focus on an updated iOS 5.0.1 with the latest GMAIL App (1.1.0) taken from the Apple Store at the time of this writing. Google will probably patch these security issues more quickly than the time it takes you to read these humble thoughts.

Some believe it might be more secure to read emails through supposedly lightweight applications on i-devices, as the emails probably stay mostly on the remote web resources, etc.

Through the eyes of an attacker, let's see how a stolen/lost/pwned iPhone/iPad could, for example, reveal the content of your emails, contacts, etc.

Moreover, important authentication schemes do not follow Apple security guidelines for developers. This might help an attacker retrieve interesting cookies in clear text, after which it's possible to hijack a Gmail session and steal sensitive information, as you'll see further.

A fresh new vulnerability? Let's read...

Saturday, August 13, 2011

GooglePlus Reader: Privacy Checker

Update 10th Sep 2011: Google silently patched this privacy/security issue for iPhone - See further

Here is a quick post related to privacy issues with some Google Plus readers.

The main problem is that some Google Plus readers might reveal your IP address (and technical stuff), to the remote owners of G+ profiles, while you browse/read them.

This privacy issue comes from the technical way that pictures of remote profiles are loaded by the readers in order to be displayed (look at the structure of the web pages if you need more details, etc).

This could be used to either track people using Google Plus, or to create more advanced threats.

Here is an example with the iPhone App called "Google+".

This application is "vulnerable" to those privacy issues, because it tries to load pictures directly from the remote web sites, whereas a standard web browser would use Google services only.

Monday, April 25, 2011

Disabling iPhone Tracking? Do it Yourself (DiT?DiY)

An iPhone iOS4 built-in tracking feature was recently discussed publicly after two sharp people, Alasdair Allan and Pete Warden, created an open-source application called iPhone Tracker.

A file called "consolidated.db", which exists on iPhones and 3G iPads, contains enough information to map users' movements: it stores interesting stuff like MAC addresses of access points, GSM details, etc.

Since it became more public (beyond the fact that it was already known..), many people think that it could be a malicious feature from Apple. In this blog, we won't focus on political or strategic answers.

We just want to play our role: looking at technical security issues in this world of never-ending growing dependencies between humans and technologies. By the way, we don't want to repeat the excellent analyses that already exist in many places on the web.

So, let's try to think about a solution for owners of iPhones who need strong privacy.

Saturday, March 19, 2011

Quick BlackBerry Security Check

Here is just a quick note related to the security of BlackBerry devices. Initially, it was written for some non-technical contacts who told us they were lost regarding the recent exploits against BB devices reported in newspapers, etc.

So, if you happen to be a lucky BlackBerry owner, or an administrator of a large BB network, here is an easy and quick way to check the security of your smartphone(s).
You or your end users just have to browse this web page from your device:

For now, this web page will freely do basic checks for you, and will report whether you look potentially vulnerable to this list of exploits:

Monday, March 7, 2011

About iPhone iOS 4.3 Personal Hotspot

During the latest Apple Special Event of March 2011, Apple CEO Steve Jobs announced new features and products. One of those masterpieces is a new option called “Personal Hotspot”. This new functionality transforms your iPhone into a Wireless Access Point, so that you can share your 3G connection. It will be released in a few days with the next iPhone update (iOS 4.3). So let's share a few words about this new (awesome) Apple add-on, with geeky and security eyes. The question: is it secure to turn your iPhone into a Wireless Access Point?

As you can see, once you have downloaded the future iOS 4.3 on your iPhone 4, the improved “Settings” panel will propose a “Personal Hotspot” sub-menu. Then, if you enable Wifi, this option will allow you to connect multiple devices to a single iPhone, which becomes a Wireless Access Point. This way, you should be able to share your cellular data connection with up to five devices at once (up to three devices over Bluetooth, one device over USB, and three devices over Wifi), bearing in mind that a hotspot tethering plan might have to be subscribed to with your carrier.

On Apple's web site, it's written that every connection is password protected and secure, so we wanted to have a quick check of those new options.

Wednesday, January 19, 2011

BlackHat DC 2011: Inglourious Hackerds

Washington DC, USA, January 2011.

We are currently at the awesome BlackHat DC event, with hundreds of attendees coming from many different countries worldwide. We were invited here for the BlackHat Briefings, in order to give a talk, called "Inglourious Hackerds, Targeting Web Clients".

It was a pretty nice opportunity for us to explain some of our tricks related to client-side attacks in a web environment. For example, we talked about the vulnerabilities we found in 2010 that could allow you to either hack a remote web browser, or to counter-attack, etc.
Indeed, we explained how we got some 0days against multiple different devices, by either fuzzing or pentesting those tools with a black-box approach, exactly like when we do penetration tests on highly sensitive places for our customers.

Friday, November 12, 2010

Black Hat Briefings, Abu Dhabi, UAE 2010

This week, we were invited as speakers at the very new IT Security event in the Middle East: Black Hat Abu Dhabi 2010. This event had three tracks of Briefings with more than twenty renowned speakers, plus some trainings over four days, with tons of attendees, many of them coming from the GCC area.

Thanks to the support of local organizations involved in IT and Security (TRA Telecommunications Regulation Authority + UAE CERT (aeCERT) + Khalifa University), this event was wonderful and, moreover, it happened in a marvelous place (Emirates Palace).

On our side, we had a slot for a one-hour talk, called "Extrusion and Web Hacking". Our goal was to share concepts related to data exfiltration and bouncing off a remote compromised web server. Indeed, we are all focusing on how people try to get illegal access. But it's quite interesting to think about how the bad guys try to escape from the remotely controlled devices or computers once they're in, as we are going to see in this article.

Thursday, November 11, 2010

CVE-2010-1752: Back to the Mac

Exploiting CFNetwork (Apple)

In February 2010, TEHTRI-Security found a stack overflow related to CFNetwork on Apple products, in the code used to handle URLs. As we've been doing ethical hacking and penetration tests for more than 15 years on highly sensitive networks, we automatically contacted the Apple security folks in order to help improve their products.

Basically, we found that visiting a maliciously crafted website could lead to an unexpected application termination or arbitrary code execution. Let's have a look at some details related to our work and to Apple's patches.

In this article we will only focus on threats and exploits that worked against iPhone, iPod touch, Mac OS X and Mac OS X server.

Please notice that Apple customers were never threatened by those security issues, as TEHTRI-Security only shared technical information with the Cupertino security team directly, and as tested, robust upgrades are now available to the public.

Sunday, October 31, 2010

Web In The Middle, Attacking Clients: FireSheep

Hack In The Box Amsterdam 2010 - TEHTRI-Security
There is so much news related to this new offensive Firefox extension, called FireSheep, that I wanted to share some tiny thoughts here.

This tool allows an attacker to use data collected from frames sniffed off the network, by displaying potential local victims directly in her Firefox.

Then it's possible to abuse those clear-text sessions caught on the local network. For example, one can directly impersonate a Facebook or Twitter session, etc, that took place without encryption on the network.

Tuesday, October 19, 2010

Hack In The Box SecConf, Kuala Lumpur, Malaysia 2010

Last week, we were invited to the famous HITBSecConf event organized by L33tdawg and his extended team (people from NL + MY). This amazing event drew hundreds of people from all over the world to the center of Kuala Lumpur. You could easily meet either evil/good hackers, phone phreakers, IT managers, lockpickers, senior IT security people, etc.

Many activities were proposed to the attendees, like special technical workshops, hacking challenges, lockpicking activities, and of course international talks & advanced trainings.

During the first couple of days, we ran a new offensive training in a room of 16 students coming from very interesting places like cutting-edge | sensitive | huge companies (Fortune 500...), and also from government agencies all around the world.

This 2-day course was called "Hunting Web Attackers", and was created to prepare white-hats and to improve their skills in the ongoing cyber-struggle against web attackers.

Tuesday, September 7, 2010

New training "Hunting Web Attackers" full of 0days

TEHTRI-Security will release many 0days and offensive technologies during a new training called: "Hunting Web Attackers"

For the very first time, it will be proposed during HackInTheBox SecConf Malaysia 2010 in October, in Kuala Lumpur.

Some 0days will be disclosed under an NDA (for students only) and will help fight back against web attackers, as we already explained in the past in China and in Singapore (SyScan).

As a teaser, this blog message contains one of our remote 0day exploits. We also found 0days against Zeus, Eleonore, CrimePack, etc.

Monday, August 2, 2010

Web In The Middle, Attacking Clients

TEHTRI-Security was invited to give a talk called "Web In The Middle, Attacking Clients" at the first Hack In The Box Europe, Amsterdam.

During our talk, we released multiple advisories and explained many issues related to some vulnerabilities. You can find more public information in the slides available online. Here are some related details that we wanted to share with you:

o CVE-2010-1752: TEHTRI-Security inside the iPhone iOS4

TEHTRI-Security found a stack overflow in the CFNetwork API, in the code used to handle URLs.

Thursday, July 1, 2010

The Empire Strikes Back

As announced by email (FD, BT...), we released 13 0days and new offensive concepts against most of the tools currently used by web attackers, like web shells, exploit packs, etc, during our new talk. It happened mid-June in Singapore, during the SyScan International Conference:

We proposed new methods to counter-strike intruders with our new exploits, giving you remote shells, remote SQL injection, permanent XSS and dangerous XSRF against the remote tools used by attackers.

It's time to have strike-back capabilities for real, and to have alternative and innovative solutions against those security issues.

Friday, June 4, 2010

French Touch

From what we have seen in our logs these past months, many security issues are coming from French IP addresses. It seems there are many funny, curious people or so-called friends out there. The most incredible logs we got are coming from some public services (gov) like, for example, the postal mail service and the national energy department. Either they are compromised and someone is bouncing from their networks, or they are really curious.

Thursday, June 3, 2010

A funny SQL attacker

Today, we would like to applaud the winner of our logs: "mi*ch*"

Here is a decoded sample of his web session, trying to figure out whether an SQL injection would be possible against one of our monitored web servers.

Wednesday, June 2, 2010

TEHTRI-Security: This is not a game

Hi all, welcome to our new blog. We already had a Facebook account, a Twitter account and a web site. But we found that a blog would help us provide some different kinds of things, like tiny technical texts to share, etc. This will allow us to put out some ideas, logs, tech stuff, etc, without thinking too much, compared to classical official articles. Have fun here on our blog, and welcome.